So it has been about a fortnight now since I set up a WordPress site for the scouts. Now in that time I have blocked 3 IP addresses for trying to guess user passwords. Now this i kind of expect there are a lot of botnets out there to try that sort of thing.
What intrigues me is how they worked out it was a WordPress site quite so quickly, and why the cracking code is not optimised to not fall foul of the standard systems that WordPress comes with to block such attacks.* Also who sets up accounts with the names: admin, manager, root.
Then again if you have a very large botnet at your disposal then you don’t have to be that sophisticated, eventually you will beat someone.
* Ok, I accept that there probably been a lot more attempts than 3, and some of them may have been smart enough that they have remained undetected.
Just probe for a URL that exists on WP sites but not on others, such as something under /wp-admin. It’s also possible to try parsing the returned page looking for standard WP-isms, but that’s probably too much like hard work when a simple probe will tell you.
You don’t even have to do the probe yourself, you used to be able to do a Google search for something like wp-admin and it would return links to all the login pages they had found.
Which amused me no end, when I found out.